Analysis

  • max time kernel
    120s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags
    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    11-02-2025 17:37

General

  • Target

    JaffaCakes118_e8b76c5f22a01407f3c87d8f99499e8c.exe

  • Size

    1.4MB

  • MD5

    e8b76c5f22a01407f3c87d8f99499e8c

  • SHA1

    89d075a3f606348bec51905773963bc35c0ca6a1

  • SHA256

    9882e53c961cfe3ddb113b53ba97b93c0f1d2e9a02d19238ceafb5bcae530c65

  • SHA512

    caa091d61be59e0856be9736c259391a1d4da432a586bda381bfbb8fd4846a48ad2ae9ad4c5ce6d120967c5cabbb92b4a073e7ea175ca50600f0cc934a88bb13

  • SSDEEP

    24576:dU4oT0o6lv+ZiGAvA0A8eCPkFyF3RfOo2HTuX63NDVw1dg0U+dCaWEKoxFKYdyhI:dULT0oegihAP8eFyp/E3NJ2d6aZTxUh6

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

  • Ardamax family
  • Ardamax main executable 1 IoCs
  • Downloads MZ/PE file 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 11 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of the victim machine in order to infer the geographical location of that host.

  • Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e8b76c5f22a01407f3c87d8f99499e8c.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e8b76c5f22a01407f3c87d8f99499e8c.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1236
    • C:\Windows\SysWOW64\KAKIBT\EAC.exe
      "C:\Windows\system32\KAKIBT\EAC.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:1652
    • C:\Users\Admin\AppData\Local\Temp\RealPlayerSPGold_br.exe
      "C:\Users\Admin\AppData\Local\Temp\RealPlayerSPGold_br.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1124
      • C:\Users\Admin\AppData\Local\Temp\rnsetup0.exe
        "C:\Users\Admin\AppData\Local\Temp\rnsetup0.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2996
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" http://switchboard.real.com/player/installer.html?cd=backup_download&distcode=R51BRD&prod=RealPlayer&ver=12.0&li=br&oem=rp12_br&loc=fail
          4⤵
          • Modifies Internet Explorer Phishing Filter
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1648
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1648 CREDAT:275457 /prefetch:2
            5⤵
            • Downloads MZ/PE file
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:2264

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (342B; 11 distinct files written to this cache path during the run)
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NT668XG4\log[1].txt (24B)
  • C:\Users\Admin\AppData\Local\Temp\CabF597.tmp (70KB)
  • C:\Users\Admin\AppData\Local\Temp\TarF646.tmp (181KB)
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\SA7F1VLE.txt (93B)
  • C:\Windows\SysWOW64\KAKIBT\AKV.exe (456KB)
  • C:\Windows\SysWOW64\KAKIBT\EAC.001 (60KB)
  • C:\Windows\SysWOW64\KAKIBT\EAC.002 (43KB)
  • C:\Windows\SysWOW64\KAKIBT\EAC.004 (1KB)
  • \Users\Admin\AppData\Local\Temp\RealPlayerSPGold_br.exe (575KB)
  • \Users\Admin\AppData\Local\Temp\rnsetup0.exe (485KB)
  • \Windows\SysWOW64\KAKIBT\EAC.exe (1.7MB)
  • memory/1652-78-0x0000000000230000-0x0000000000231000-memory.dmp (4KB)
  • memory/1652-15-0x0000000000230000-0x0000000000231000-memory.dmp (4KB)